Restricted groups policies allow you to control the membership of sensitive groups through Active Directory rather than through traditional group membership editing tools such as Active Directory Users and Computers or PowerShell. The benefit of using restricted groups policies is that group membership is reset each time group policy refreshes. Thus the next group policy refresh will reset a group’s membership to an approved list if, for some reason, a user is added to a sensitive group where they should not have been. http://www.youtube.com/watch?v=5hgxg1TMhLI&feature=player_embedded